Views:

Migrate from the legacy Active Directory Connector to the Identity Security Sensor - Active Directory to continue forwarding security event information from on-premises Active Directory servers to TrendAI Vision One™.

The Active Directory Connector is no longer supported as of May 1, 2026. After this date:
  • The Active Directory Connector may stop functioning at any time without further notice.
  • No fixes or updates will be provided for the Active Directory Connector.
  • New features and threat detections for Active Directory activity data will be added to the Identity Security Sensor only.
The Identity Security Sensor - Active Directory is built into the TrendAI Vision One™ Endpoint Security agent and replaces the need for a standalone Active Directory Connector installation.
The following procedure describes how to enable the Identity Security Sensor on your Active Directory servers, verify that security events are forwarding correctly, and then remove the legacy Active Directory Connector from both your servers and the TrendAI Vision One™ console.
Ensure the following requirements are met before starting the migration:
  • The TrendAI Vision One™ Endpoint Security agent is deployed on all Active Directory domain controller servers in your network.
    The following agent types support the Identity Security Sensor - Active Directory at the specified minimum versions:
    Agent type
    Minimum version (Windows)
    Standard Endpoint Protection
    14.0.0.20372 or later
    Server & Workload Protection
    20.0.2-26670 or later
    Endpoint Sensor
    1.2.0.6967 or later
  • Active Directory integration is enabled in TrendAI Vision One™ (Workflow and AutomationThird-Party IntegrationsActive Directory (on-premises)).
  • Data synchronization and user access control is configured. For details, see Configure data synchronization and user access control.
  • An endpoint security policy exists for your Active Directory servers.
Important
Important
Enable Identity Security Sensor - Active Directory only in policies applied to Active Directory domain controller (DC) servers, since only DC endpoints generate Active Directory security events. Enabling the sensor on non-DC (workstation and member server) endpoints provides no additional security value.
TrendAI™ recommends maintaining a dedicated endpoint security policy for DC servers with the sensor enabled, and keeping the sensor disabled in policies applied to other endpoints.
Tip
Tip
TrendAI™ recommends enabling the Identity Security Sensor first and verifying that it is functioning correctly before uninstalling the legacy Active Directory Connector. This ensures continuity of security event forwarding throughout the migration.

Procedure

  1. Enable the Identity Security Sensor.
    1. Go to Endpoint SecurityEndpoint Security ConfigurationEndpoint Security PoliciesPolicies.
    2. Select the policy assigned to your Active Directory servers, or create a new policy.
    3. From the Identity Security Sensor drop-down list, select Enable.
    4. Save the policy.
  2. Verify that the Identity Security Sensor is working.
    1. Go to Identity SecurityIdentity Inventory.
    2. Select Active Directory (on-premises).
    3. Confirm that the Security Event Forwarding connection status is Healthy for your domain.
  3. Uninstall the Active Directory Connector from each server.
    After confirming that the Identity Security Sensor is forwarding events correctly, uninstall the legacy Active Directory Connector.
    1. On the Windows server, go to Control PanelPrograms and FeaturesUninstall a program.
    2. Find the entry for TrendAI Vision One™ Active Directory Connector, right-click it, and select Uninstall.
    3. Repeat for all servers that have the Active Directory Connector installed.
    Note
    Note
    No reboot is required.
  4. Remove Active Directory Connector entries from TrendAI Vision One™.
    After uninstalling the Active Directory Connector from your servers, remove the connector entries from the console.
    1. Go to Workflow and AutomationThird-Party IntegrationsActive Directory (on-premises)Security Event Forwarding.
    2. Click the Remove icon next to each connector entry.
    3. Click Save.
    Important
    Important
    If connector entries are not removed:
    • The notification banner continues to display in the console.
    • The connection status in Identity Inventory shows as Unhealthy for removed or offline connectors.

Next steps

Identify servers with Active Directory Connector still installed
To check which servers still have the Active Directory Connector installed:
  1. Go to Workflow and AutomationThird-Party IntegrationsActive Directory (on-premises).
  2. Select Security Event Forwarding.
The list shows all servers that currently have or previously had the Active Directory Connector installed:
  • Healthy: Servers actively sending telemetry to TrendAI Vision One™.
  • Unhealthy: Servers that are offline or have uninstalled the agent.
Frequently asked questions
Does enabling the Identity Security Sensor cost credits?
No. Enabling the Identity Security Sensor alone does not allocate credits. Other functions enabled in the same policy, such as XDR for Endpoints (EDR), may cost credits.
Are response actions affected by the migration?
No. Response actions such as disabling user accounts and forcing password resets are handled by the Service Gateway's Data Synchronization & User Access Control, not the Active Directory Connector.
Is Entra ID affected?
No. This migration applies to on-premises Active Directory only. Entra ID connections are not impacted.
What happens if the Active Directory Connector is still installed after the deprecation date?
The Active Directory Connector continues to send telemetry data to TrendAI Vision One™. However, this can stop functioning at any time without notice. If you encounter any issues, TrendAI™ recommends enabling the Identity Security Sensor rather than troubleshooting the Active Directory Connector, which no longer receives fixes or updates.